CLAIMS



WHAT IS CLAIMED IS:

1. A memory management unit for managing a memory storing data arranged within a
plurality of memory pages, the memory management unit comprising:

    a security check unit coupled to receive a physical address generated during execution
    of a current instruction, wherein the physical address resides within a selected
    memory page, and wherein the security check unit is configured to use the
    physical address to access at least one security attribute data structure located
    in the memory to obtain a security attribute of the selected memory page, to
    compare a numerical value conveyed by a security attribute of the current
    instruction to a numerical value conveyed by the security attribute of the
    selected memory page, and to produce an output signal dependent upon a
    result of the comparison; and

    wherein the memory management unit is configured to access the selected memory page
    dependent upon the output signal.

2. The memory management unit as recited in claim 1, wherein the at least one security
attribute data structure comprises a security attribute table directory and at least one security
attribute table.

3. The memory management unit as recited in claim 2, wherein the security attribute table
directory comprises a plurality of entries, and where each entry of the security attribute table
directory includes a present bit and a security attribute table base address field, and wherein
the present bit indicates whether or not a security attribute table corresponding to the security
attribute table directory entry is present in the memory, and wherein the security attribute
table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.



4. The memory management unit as recited in claim 2, wherein the at least one security
attribute table comprises a plurality of entries, and where each entry of the security attribute
table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation
of an SCID value, and wherein the SCID value is an integer value greater than or equal to 0,
and wherein the SCID value indicates a security context level of a corresponding memory
page.




5. The memory management unit as recited in claim 1, wherein the security attribute of the
selected memory page comprises a security context identification (SCID) value, and wherein
the SCID value is an integer value greater than or equal to 0 and indicates a security context
level of the selected memory page.






6. The memory management unit as recited in claim 1, wherein the security attribute of the
current instruction comprises a security context identification (SCID) value, and wherein the
SCID value is an integer value greater than or equal to 0 and indicates a security context level
of a memory page containing the current instruction.



7. The memory management unit as recited in claim 1, wherein the security check unit is
configured to obtain the security attribute of the current instruction from the at least one
security attribute data structure.
8. The memory management unit as recited in claim 1, wherein the output signal is a fault
signal.



9. The memory management unit as recited in claim 1, wherein the security check unit is
configured to receive a set of security attributes of the selected memory page in addition to
the security attribute of the selected memory page, and to produce the output signal dependent
upon: (i) the result of the comparison of the numerical value conveyed by the security
attribute of the current instruction to the numerical value conveyed by the security attribute of
the selected memory page, and (ii) the set of security attributes of the selected memory page.

10. The memory management unit as recited in claim 9, wherein the set of security attributes
of the selected memory page comprise a user/supervisor (U/S) bit and a read/write (R/W) bit
as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of
the operating system, and wherein U/S=1 indicates the selected memory page is a user
memory page and corresponds to a user level of the operating system, and wherein R/W=0
indicates only read accesses are allowed to the selected memory page, and wherein R/W=1
indicates that both read and write accesses are allowed to the selected memory page.



11. A central processing unit, comprising:

    an execution unit operably coupled to a memory, wherein the execution unit is
    configured to fetch instructions from the memory and to execute the
    instructions; and

    a memory management unit (MMU) operably coupled to the memory and configured
    to manage the memory, wherein the MMU is configurable to manage the
    memory such that the memory stores data arranged within a plurality of
    memory pages, and wherein the MMU comprises:

        a security check unit coupled to receive a physical address generated by the
        execution unit during execution of a current instruction, wherein the
        physical address resides within a selected memory page, and wherein
        the security check unit is configured to use the physical address to
        access at least one security attribute data structure located in the
        memory to obtain a security attribute of the selected memory page, to
        compare a numerical value conveyed by a security attribute of the
        current instruction to a numerical value conveyed by the security
        attribute of the selected memory page, and to produce an output signal
        dependent upon a result of the comparison; and

        wherein the MMU is configured to access the selected memory page
        dependent upon the output signal.



12. A computer system, comprising:

    a memory for storing data, wherein the data includes instructions;

    a central processing unit (CPU), comprising:

        an execution unit operably coupled to the memory, wherein the execution unit
        is configured to fetch instructions from the memory and to execute the
        instructions; and

        a memory management unit (MMU) operably coupled to the memory and
        configured to manage the memory, wherein the MMU is configurable
        to manage the memory such that the memory stores the data arranged
        within a plurality of memory pages, and wherein the MMU comprises:

            a security check unit coupled to receive a physical address generated
            by the execution unit during execution of a current instruction,
            wherein the physical address resides within a selected memory
            page, and wherein the security check unit is configured to use
            the physical address to access at least one security attribute data
            structure located in the memory to obtain a security attribute of
            the selected memory page, to compare a numerical value
            conveyed by a security attribute of the current instruction to a
            numerical value conveyed by the security attribute of the selected
            memory page, and to produce an output signal dependent upon
            a result of the comparison; and

            wherein the MMU is configured to access the selected memory page
            dependent upon the output signal.
13. A memory management unit for managing a memory storing data arranged within a
plurality of memory pages, the memory management unit comprising:

    a paging unit coupled to the memory and to receive a linear address produced during
    execution of a current instruction, and configured to use the linear address to
    produce a physical address within a selected memory page, wherein the paging
    unit is configured to use the linear address to access at least one paged
    memory data structure located in the memory to obtain security attributes of
    the selected memory page, and wherein the paging unit is configured to
    produce a fault signal dependent upon the security attributes of the selected
    memory page, and wherein the paging unit comprises:

        a security check unit coupled to receive the physical address, and wherein the
        security check unit is configured to use the physical address to access
        at least one security attribute data structure located in the memory to
        obtain an additional security attribute of the selected memory page, to
        compare a numerical value conveyed by a security attribute of the
        current instruction to a numerical value conveyed by the additional
        security attribute of the selected memory page, and to produce an output
        signal dependent upon a result of the comparison; and

    wherein the memory management unit is configured to access the selected
    memory page dependent upon the output signal.
14. The memory management unit as recited in claim 13, wherein the at least one security
attribute data structure comprises a security attribute table directory and at least one security
attribute table.



15. The memory management unit as recited in claim 14, wherein the security attribute table
directory comprises a plurality of entries, and where each entry of the security attribute table
directory includes a present bit and a security attribute table base address field, and wherein
the present bit indicates whether or not a security attribute table corresponding to the security
attribute table directory entry is present in the memory, and wherein the security attribute
table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.



16. The memory management unit as recited in claim 14, wherein the at least one security
attribute table comprises a plurality of entries, and where each entry of the security attribute
table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation
of an SCID value, and wherein the SCID value is an integer value greater than or equal to 0,
and wherein the SCID value indicates a security context level of a corresponding memory
page.

17. The memory management unit as recited in claim 13, wherein the additional security
attribute of the selected memory page comprises a security context identification (SCID)
value, and wherein the SCID value is an integer value greater than or equal to 0 and indicates
a security context level of the selected memory page.



18. The memory management unit as recited in claim 13, wherein the security attribute of
the current instruction comprises a security context identification (SCID) value, and wherein
the SCID value is an integer value greater than or equal to 0 and indicates a security context
level of a memory page containing the current instruction.

19. The memory management unit as recited in claim 13, wherein the security check unit is
coupled to receive a current privilege level (CPL) of a current task including the current
instruction, and to produce the output signal dependent upon: (i) the result of the comparison
of the numerical values conveyed by the security attribute of the current instruction and the
security attribute of the selected memory page, and (ii) the CPL of the current task including the
current instruction.

20. The memory management unit as recited in claim 13, wherein the physical address
within the selected memory page includes a base address and an offset, and wherein the
paging unit is configured to obtain the base address from the at least one paged memory data
structure.

21. The memory management unit as recited in claim 13, wherein the at least one paged
memory data structure comprises a page directory and at least one page table as defined by
the x86 processor architecture.

22. The memory management unit as recited in claim 13, wherein the security attributes of
the selected memory page comprise a user/supervisor (U/S) bit and a read/write (R/W) bit as
defined by the x86 processor architecture, and wherein U/S=0 indicates the selected memory
page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory
page and corresponds to a user level of the operating system, and wherein R/W=0 indicates
only read accesses are allowed to the selected memory page, and wherein R/W=1 indicates
that both read and write accesses are allowed to the selected memory page.



23. A memory management unit for managing a memory storing data arranged within a
plurality of memory pages, the memory management unit comprising:

    a paging unit coupled to the memory and to receive a linear address produced during
    execution of a current instruction residing within a first memory page, wherein
    the paging unit is configured to use the linear address to produce a physical
    address accessed by the current instruction, and wherein the physical address
    includes a base address of a selected memory page and an offset, and wherein
    the paging unit is configured to access at least one paged memory data
    structure located in the memory using the linear address to obtain the base
    address and security attributes of the selected memory page, and wherein the
    paging unit is configured to receive a security attribute of the instruction, and
    wherein the paging unit is configured to produce a fault signal dependent upon
    the security attribute of the instruction and the security attributes of the
    selected memory page, and wherein the paging unit comprises:

        a security check unit coupled to receive the security attribute of the
        instruction, the security attributes of the selected memory page, and the
        physical address within the selected memory page, and wherein the
        security check unit is configured to use the physical address to access
        at least one security attribute data structure located in the memory to
        obtain an additional security attribute of the selected memory page, to
        compare a numerical value conveyed by a security attribute of the
        current instruction to a numerical value conveyed by the additional
        security attribute of the selected memory page, and to produce an output
        signal dependent upon a result of the comparison; and

    wherein the memory management unit is configured to access the selected
    memory page dependent upon the output signal.


24. The memory management unit as recited in claim 23, wherein the at least one paged
memory data structure comprises a page directory and at least one page table as defined by
the x86 processor architecture.

25. The memory management unit as recited in claim 23, wherein the security attribute of
the current instruction comprises a current privilege level (CPL) of a task including the
current instruction as defined by the x86 processor architecture.



26. The memory management unit as recited in claim 23, wherein the security attributes of
the selected memory page comprise a user/supervisor (U/S) bit and a read/write (R/W) bit as
defined by the x86 processor architecture, and wherein U/S=0 indicates the selected memory
page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory
page and corresponds to a user level of the operating system, and wherein R/W=0 indicates
only read accesses are allowed to the selected memory page, and wherein R/W=1 indicates
that both read and write accesses are allowed to the selected memory page.

27. The memory management unit as recited in claim 23, wherein the additional security
attribute of the selected memory page comprises a security context identification (SCID)
value, and wherein the SCID value is an integer value greater than or equal to 0 and indicates
a security context level of the selected memory page.

28. The memory management unit as recited in claim 23, wherein the security attribute of
the current instruction comprises a security context identification (SCID) value, and wherein
the SCID value is an integer value greater than or equal to 0 and indicates a security context
level of the first memory page containing the current instruction.

29. The memory management unit as recited in claim 23, wherein the at least one security
attribute data structure comprises a security attribute table directory and at least one security
attribute table.

30. The memory management unit as recited in claim 29, wherein the security attribute table
directory comprises a plurality of entries, and where each entry of the security attribute table
directory includes a present bit and a security attribute table base address field, and wherein
the present bit indicates whether or not a security attribute table corresponding to the security
attribute table directory entry is present in the memory, and wherein the security attribute
table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.
31. The memory management unit as recited in claim 29, wherein the at least one security
attribute table comprises a plurality of entries, and where each entry of the security attribute
table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation
of an SCID value, and wherein the SCID value is an integer value greater than or equal to 0,
and wherein the SCID value indicates a security context level of a corresponding memory
page.



32. A method for providing access security for a memory used to store data arranged within
a plurality of memory pages, the method comprising:

    receiving a linear address produced during execution of an instruction and a security
    attribute of the instruction, wherein the instruction resides in a first memory
    page;

    using the linear address to access at least one paged memory data structure located in
    the memory to obtain a base address of a selected memory page and security
    attributes of the selected memory page;

    combining the base address of the selected memory page with an offset to produce a
    physical address within the selected memory page if the security attribute of
    the instruction and the security attributes of the selected memory page indicate
    the access is authorized;

    generating a fault signal if the security attribute of the instruction and the security
    attributes of the selected memory page indicate the access is not authorized;

    accessing at least one security attribute data structure located in the memory using the
    physical address of the selected memory page to obtain an additional security
    attribute of the first memory page and an additional security attribute of the
    selected memory page;

    comparing a numerical value conveyed by the additional security attribute of the first
    memory page to a numerical value conveyed by the additional security
    attribute of the selected memory page; and

    accessing the selected memory page dependent upon a result of the comparing of the
    numerical values conveyed by the additional security attribute of the first memory
    page and the additional security attribute of the selected memory page.

33. The method as recited in claim 32, wherein the receiving comprises:

    receiving a linear address produced during execution of an instruction and a security
    attribute of the instruction, wherein the instruction resides in a first memory
    page, and wherein the security attribute of the instruction comprises a current
    privilege level (CPL) of a task including the instruction as defined by the x86
    processor architecture.



34. The method as recited in claim 32, wherein the using comprises:

    using the linear address to access at least one paged memory data structure located in
    the memory to obtain a base address of a selected memory page and security
    attributes of the selected memory page, wherein the at least one paged
    memory data structure comprises a page directory and at least one page table
    as defined by the x86 processor architecture.



35. The method as recited in claim 32, wherein the combining comprises:

    combining the base address of the selected memory page with an offset to produce a
    physical address within the selected memory page if the security attribute of
    the instruction and the security attributes of the selected memory page indicate
    the access is authorized, wherein the security attributes of the selected memory
    page comprise a user/supervisor (U/S) bit and a read/write (R/W) bit as defined by
    the x86 processor architecture, and wherein U/S=0 indicates the selected
    memory page is an operating system memory page and corresponds to a
    supervisor level of the operating system, and wherein U/S=1 indicates the
    selected memory page is a user memory page and corresponds to a user level
    of the operating system, and wherein R/W=0 indicates only read accesses are
    allowed to the selected memory page, and wherein R/W=1 indicates that both
    read and write accesses are allowed to the selected memory page.



36. The method as recited in claim 32, wherein the generating comprises:

    generating a fault signal if the security attribute of the instruction and the security
    attributes of the selected memory page indicate the access is not authorized,
    wherein the fault signal is a general protection fault (GPF) signal as defined by
    the x86 processor architecture.


37. The method as recited in claim 32, wherein the accessing comprises:

    accessing at least one security attribute data structure located in the memory using the
    physical address of the selected memory page to obtain an additional security
    attribute of the first memory page and an additional security attribute of the
    selected memory page, wherein the at least one security attribute data structure
    comprises a security attribute table directory and at least one security attribute
    table, and wherein the additional security attribute of the first memory page
    comprises a security context identification (SCID) value of the first memory
    page, and wherein the SCID value of the first memory page is an integer value
    greater than or equal to 0 and indicates a security context level of the first
    memory page, and wherein the additional security attribute of the selected
    memory page comprises a security context identification (SCID) value of the
    selected memory page, and wherein the SCID value of the selected memory
    page is an integer value greater than or equal to 0 and indicates a security
    context level of the selected memory page.
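Claims 1 through 10 describe a security check unit that walks a two-level security attribute table directory / security attribute table keyed by the physical address and compares the SCID of the page holding the current instruction with the SCID of the page being accessed; claims 13 through 31 place that unit behind an x86-style paging unit that first applies the page's U/S and R/W bits against the CPL; claim 32 and its dependents state the same flow as a method. The C model below is an added example written for this editorial page, not code from the patent, its applicant, or any shipped processor. Everything the claims leave open is an assumption here and is marked ASSUMED in the code: the bit layout and width of the SATD and SAT entries, reuse of the x86 page directory / page table index split for the SATD and SAT, treating a clear SATD present bit as a fault, the direction of the SCID comparison (lower SCID taken as more trusted, so an instruction may reach pages of equal or numerically higher SCID), and the 16-page identity-mapped sample layout. Names such as mmu_access, lookup_scid and build_demo are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the claimed MMU: 16 simulated 4 KiB physical pages, an x86-style page directory /
 * page table, and a parallel security attribute table directory (SATD) / table (SAT) indexed by PHYSICAL address. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NUM_PAGES  16
#define ADDR_MASK  0xFFFFF000u
#define PTE_P  0x1u      /* x86 PDE/PTE bits (claims 10, 21, 22) */
#define PTE_RW 0x2u
#define PTE_US 0x4u
#define SATD_P    0x1u   /* SATD entry: present bit + SAT base address (claims 3, 15, 30) */
#define SCID_MASK 0x1Fu  /* SAT entry: SCID field (claims 4, 16, 31); bit layout ASSUMED */
/* FAULT_GP: U/S, R/W or CPL check failed (claim 36 calls this a GPF). FAULT_SCID: the
 * comparison denied access (claim 8). Faulting on a clear SATD present bit is ASSUMED. */
typedef enum { ACCESS_OK, FAULT_NOT_PRESENT, FAULT_GP, FAULT_SAT_MISSING, FAULT_SCID } access_result;
typedef struct { uint32_t base; bool user, writable; } page_attrs;
typedef struct { uint32_t cr3, satd_base; } mmu_state;

static uint8_t phys_mem[NUM_PAGES * PAGE_SIZE];
static uint32_t rd32(uint32_t pa) { uint32_t v; memcpy(&v, &phys_mem[pa], 4); return v; }
static void wr32(uint32_t pa, uint32_t v) { memcpy(&phys_mem[pa], &v, 4); }
/* Paging unit: linear address -> page base plus U/S and R/W bits (claims 13, 20, 21). */
static bool walk_page_tables(uint32_t cr3, uint32_t lin, page_attrs *out)
{
    uint32_t pde = rd32(cr3 + ((lin >> 22) & 0x3FFu) * 4);
    if (!(pde & PTE_P)) return false;
    uint32_t pte = rd32((pde & ADDR_MASK) + ((lin >> 12) & 0x3FFu) * 4);
    if (!(pte & PTE_P)) return false;
    out->base     = pte & ADDR_MASK;
    out->user     = (pde & pte & PTE_US) != 0;   /* x86: the more restrictive level wins */
    out->writable = (pde & pte & PTE_RW) != 0;
    return true;
}

/* Security check unit: physical address -> SCID through the SATD, then the SAT (claims 2-4).
 * The index split mirrors the page directory / page table split (ASSUMED). */
static bool lookup_scid(uint32_t satd_base, uint32_t pa, uint32_t *scid)
{
    uint32_t sde = rd32(satd_base + ((pa >> 22) & 0x3FFu) * 4);
    if (!(sde & SATD_P)) return false;
    *scid = rd32((sde & ADDR_MASK) + ((pa >> 12) & 0x3FFu) * 4) & SCID_MASK;
    return true;
}

/* The access path of claim 32. eip: linear address of the current instruction (the "first
 * memory page"); lin: linear address that instruction reads or writes. */
static access_result mmu_access(const mmu_state *m, uint32_t eip, uint32_t lin,
                                unsigned cpl, bool is_write, uint32_t *pa_out)
{
    page_attrs tgt, ins;
    uint32_t scid_ins, scid_tgt;
    if (!walk_page_tables(m->cr3, lin, &tgt)) return FAULT_NOT_PRESENT;
    /* x86-level checks of CPL against U/S and of the access type against R/W (claims 10, 19, 22).
     * Claim 10 makes R/W=0 read-only at every CPL; real x86 also consults CR0.WP for supervisor writes. */
    if (cpl == 3 && !tgt.user)     return FAULT_GP;
    if (is_write && !tgt.writable) return FAULT_GP;
    uint32_t pa = tgt.base | (lin & (PAGE_SIZE - 1));   /* base + offset (claim 20) */
    if (!walk_page_tables(m->cr3, eip, &ins)) return FAULT_NOT_PRESENT; /* instruction's own page */
    if (!lookup_scid(m->satd_base, ins.base, &scid_ins) ||
        !lookup_scid(m->satd_base, pa, &scid_tgt)) return FAULT_SAT_MISSING;
    /* ASSUMED policy: lower SCID = more trusted, so an instruction may touch pages at its own
     * level or a numerically higher one. The claims say only that the values are compared. */
    if (scid_ins > scid_tgt) return FAULT_SCID;
    *pa_out = pa;
    return ACCESS_OK;
}
/* Constructed sample layout (not from the patent): identity-mapped, tables in pages 0-3. */
static mmu_state build_demo(void)
{
    static const uint32_t flags[NUM_PAGES] = {
        PTE_P|PTE_RW, PTE_P|PTE_RW, PTE_P|PTE_RW, PTE_P|PTE_RW,  /* 0-3: PD, PT, SATD, SAT */
        PTE_P, PTE_P|PTE_US, PTE_P|PTE_RW, PTE_P|PTE_RW|PTE_US,  /* 4 kernel code, 5 user code, 6 kernel data, 7 user data */
        PTE_P|PTE_RW|PTE_US, PTE_P|PTE_US,                       /* 8 user-mapped page of a more trusted context, 9 user read-only */
        0, 0, 0, 0, 0, 0 };                                      /* 10-15: not present */
    static const uint32_t scid[NUM_PAGES] = { 0,0,0,0, 0, 2, 0, 2, 1, 2, 0,0,0,0,0,0 };
    mmu_state m = { 0x0000, 0x2000 };
    memset(phys_mem, 0, sizeof phys_mem);
    wr32(m.cr3, 0x1000 | PTE_P | PTE_RW | PTE_US);   /* PDE 0 -> page table at 0x1000 */
    wr32(m.satd_base, 0x3000 | SATD_P);              /* SATD entry 0 -> SAT at 0x3000 */
    for (uint32_t i = 0; i < NUM_PAGES; i++) {
        wr32(0x1000 + i * 4, (i << PAGE_SHIFT) | flags[i]);
        wr32(0x3000 + i * 4, scid[i]);
    }
    return m;
}

int main(void)
{
    mmu_state m = build_demo();
    uint32_t pa = 0;   /* user code in page 5 (SCID 2) writing page 8 (SCID 1): expect FAULT_SCID (4) */
    printf("result %d\n", mmu_access(&m, 0x5010, 0x8040, 3, true, &pa));
    return 0;
}
```

The case worth watching is the user-mode instruction in page 5 (SCID 2) writing to page 8: the page tables mark that page user-accessible and writable, so the U/S and R/W checks of claims 10 and 22 pass and only the SCID comparison of claim 1 refuses the access, which is the point of adding the second table walk. The model follows claim 10 literally in treating R/W=0 as read-only at every privilege level; real x86 consults CR0.WP before refusing a supervisor write, so anyone porting this check into a real page walker has to decide which semantics they want. Note also that both walks here are uncached; a real implementation would have to keep any SCID cache coherent with the TLB, since the SAT is keyed by physical address and a remapped page could otherwise keep a stale SCID.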






